Safety: EN 954-1 Category 4 and PLC Wiring

[brianafischer 2]

Hello, I was researching the EN 954-1 safety standard used to integrate machine guarding and had a few questions. First of all, let me explain the application. A machine is equipped with an AB PLC, multiple door switches (to enter the cell), an E-stop and a light curtain. The PLC is using a sinking output module (24VDC when ON) to power solenoids in the system. In order to meet Cat. 4, I am using the banner safety module linked below for the E-stop and the light curtain. To be control-reliable, every switch must contain identical contacts (2NO or 2NC). The safety module uses this to determine a fault in the system. The question I have is whether the PLC output power needs to be dropped upon a system "event" (E-stop, light curtain, or door switch) to meet Cat. 4? Or, can I wire all of the solenoid outputs through the safety modules? Please let me know if any of the information above is incorrect and thanks for the help! EN 954 Categories Banner Safety Module Edited 11 Jun 2006 by brianafischer

[Sleepy Wombat 27]

Simple question....do the solenoids contribute to the machine having a CAT 4 safety requirment....?

[panic mode 246]

i don't like sink/source terminology because it's interpreted differently (sinking output that provide +24V when on ---> sounds like quote from Mitsubishi documentation). as for dropping power to the outputs, yes it is common practice to drop power to motion outputs (but not to outputs that control announciators like stack light, horn, indicators etc. or outputs whick do not affect motion) how many e-stops we are talking about and are they all on same module? if multiple devices (E-stop buttons for example) are daisychained or wired to just one controller, you only get up to Cat3. If safety devices (in this case E-Stop buttons but that doesn't matter) are daisychained and wired to same controller, you get maximum Cat3. For E-Stops this is not a problem since it's manual function, used rarely and probably only after problem happened anyway. But you can't do this with gates for example if you plan on achiving Cat4. another problem with hardwired dumb controllers like the Banner you linked to is that in cat4 circuit you need bunch of them and wiring gets quite messy. Specially if you are new to this, I would recommend using integrated solutions. For example there are ready solutions for Cat4 safety gates that reduce wiring and used panel space (like EC-series controller from STI for up to 4 gates): http://www.globalspec.com/featuredproducts...ier=0&deframe=1 It also has non safe outputs for monitoring by PLC etc. If you have to meet Cat4, beware of mechanical interlock switches (ones that use switch with "key" or "tongue"), something like this: http://www.ab.com/safety/prod_directory/in...gue_int_switch/ or this: http://www.ab.com/safety/prod_directory/in...gue_int_switch/ or this: http://www.controlplus.com/newfortress.htm Sound strange, specially for the fortress (this thing is so heavy, one could drive with tank over it without damaging it), but they do fail. I haven't seen one fail yet but some of our larger customers had multiple incidents so now all such switches are complemented with aditional switch. (This was one of the hot topics on last RiA/CSA robotics safety conference i visited year ago) Although they have redundant contacts and electrically they are ok, problem with those (including fortress gate switch, hinge switches etc.) is on mechanical side (single cam or piston actuator). This means that single fault could mean loss of safety function. Common solution is to either not use such devices (alternatives such as transponder type interlock switches are not only easier to mount and wire, they are also cheaper) or to use them in pairs (each wired as one channel). If using pairs it is preffered to use dissimilar products so chance of failure at the same time due fatigue or flaws in design etc. are unlikely. This can be easily done by using common proximity sensor on one channel and the interlock switch on other (proxy also has to be mounted properly to prevent tampering). Note: safety controllers (like the banner unit in your link) use different polarity for input loops to detect cross channel faults. This means that one of the channels is wired as sink and other as source. Keep that in mind if you plan on using sensing device with polarized output such as 3-wire proxy.

[ControlsGirl 2]

Panic mode, Could you post a reference to a document or something that states what is required for certain safety category levels. I'm in a debate with a co-worker and he said that whether or not a safety circuit has an automatic restart and/or whether or not it is self-monitored is not apart of what is considered for safety category ratings. I was taught differently. Now I am trying to dig up some kind of documentation to support this.

[panic mode 246]

there are different standards and requirements. you need to become familiar with local standards and regulations. i am in Canada so I'm used to CSA standards. general machine safeguarding standard is Z432. in addition to that other standards may apply. for example for robots it is Z434, for presses Z142 etc. such documents cover requirements for restarting etc. For example Z432: 6.2.1.9.3 Restart after energy interruption 6.2.5.2.2 Effects of emergency stop and reset commands etc. 4.5.4 Single Channel with Monitoring Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with... 4.5.5 Control Reliable Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action... 4.6.4 Emergency Stop Device Design.... d) the type requiring manual resetting; and e) installed such that resetting the button shall not initiate a restart. etc. note that it does not say that_specific_ safety category has to support this (they all do).

[The Turkey Slayer 5]

Euchner makes a system that allows you to daisy-chain devices and still get cat 4.

[panic mode 246]

what i was referring to is a general case, particular products can be special cases (for example having self-test in each device etc). do you have a link to mentioned product manual?